Case Of The Hushed HaX0r - Part V

"Well, so much for that idea." Soandso mumbled as he tried to use the key extracted by stegdetect on the PGP file. Denied! "I expected as much - this was just the passphrase to place another file within the image." I replied, not paying attention to what Soandso was typing. "What were you saying about the door? Where are you going with this?" Soandso said as he leaned back over to get a view of my laptop screen. "Take a look." I said as I swung my laptop around and opened yet another rxvt window.
    $ outguess -k "helpusobiwan" -r r2d2.jpg hax0r.txt
    Reading r2d2.jpg....
    Extracting usable bits: XXXXX bits
    Steg retrieve: seed: XXXX, len: XXXX

"What the..." Soandso said as he held his chin in his right hand. "You mean the SOB really did hide a text file INSIDE of that picture? How the..." "Hold on." I said as my fingers eagerly started a 'vi' session for 'hax0r.txt'. Up came 'vi' in no time flat (because it's better than emacs - kidding!) and we were staring at a single phrase:

    d0ntb3l00k1ngAtMystuffa55h0l3s

"Is THAT the passphrase Chief?" Soandso said. He was nearly trembling with excitement at this point. "Let's find out." I said as I turned around in my chair to the forensic workstation that contained the forensic image of Nick's linux machine.
    $ pgp --decrypt /home/haX0r/dump
    pgp: no valid PGP data found.
    pgp: decrypt_message failed: eof

The passphrase wasn't working. Well, NOTHING was working. "Big surprise - because that's what it was doing for me too." Soandso said. I blinked. Now he tells me. Using the notes from the HP's forensics team, I read them carefully this time:
The examiner was quoted as finding "a large 1.8GB file: /home/haX0r/dump" that "... appeared to be a PGP-encrypted filesystem image." Emphasis on APPEARED. Grrrr. I need more coffee. I was removing my arse from the chair and explaining to Soandso what was going on when I sat right back down. "Hold the phone - he's smart but lazy. I have a few other tools to try real quick." I said as I let my fingers fly across the keyboard. I tried the typical tools and configuration options, but I saved the obvious one for last: bestcrypt. I had seen this used in several other cases, and it was pretty powerful for thwarting unauthorized access to files, considering the encryption algorithms that it supports.
    $ su -
    Password:
    # mkdir /root/haX0r
    # bctool mount dump /root/haX0r/
    Enter password: [d0ntb3l00k1ngAtMystuffa55h0l3s]
    # ls -la /root/haX0r/
    drwxrwxr-x  5 root root 4096 Dec 7 11:01 .
    drwx------ 63 root root 4096 Dec 7 11:34 ..
    drwx------  1 root root  858 Dec 7 storez

We're in.

(Aside)

Talk about pins and needles. The events in this entry seem to go by very fast, however this was one long afternoon.

Questions to consider:

1) Why did the HP and their consultants automatically assume that the file was a pgp file?

2) Where was my slip-up early in the case? It goes to show you that no matter how many cases you've worked on, _________________ (fill in the blank *grin*). Should I have been peering over shoulders?

3) Why do you think Nick used bestcrypt? Security through obscure toolsets?

4) Would you have handled anything differently?

Note: NONE of the tools that I used here were found on Nick's / (root) filesystem. How was Nick doing what he was doing with no tools on the system?

Time for a latte.

(/Aside)
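On question 1: the consultants trusted a label ("appeared to be a PGP-encrypted filesystem image") that the bytes themselves could have confirmed or refuted in seconds. The following is an added example, not from the case notes or from any tool named above: a first-pass triage check, run over the head of a suspect file, that tells ASCII-armored PGP and a binary OpenPGP packet stream apart from an opaque high-entropy blob with no recognised header, which is what an encrypted container of any flavour looks like before you know what made it. The sample inputs are constructed, and the 7.9 entropy threshold and the set of "leading" packet tags are assumptions to tune.

```python
import math
import random
from collections import Counter

# Constructed sample inputs (not from the case): an armored message header, a
# binary stream whose first byte is an old-format SKESK packet tag (3), a
# seeded pseudo-random blob standing in for an encrypted container, and plain text.
SAMPLE_ARMORED = b"-----BEGIN PGP MESSAGE-----\nVersion: constructed\n"
SAMPLE_BINARY_PGP = b"\x8c\x0d\x04\x09\x03" + bytes(24)
_rng = random.Random(7)  # first byte pinned to a non-tag value so the entropy branch is exercised
SAMPLE_OPAQUE = b"\x1f" + bytes(_rng.getrandbits(8) for _ in range(65535))
SAMPLE_TEXT = b"nothing to see here, move along " * 200

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def leading_pgp_tag(header: bytes):
    """Decode the OpenPGP packet tag in the first byte (RFC 4880 section 4.2), or
    return None when bit 7 is clear and the byte cannot be a packet header at all."""
    if not header or not header[0] & 0x80:
        return None
    b = header[0]
    return b & 0x3F if b & 0x40 else (b >> 2) & 0x0F  # new format: low 6 bits; old: bits 5-2

# Tags that plausibly open an encrypted message: PKESK, SKESK, compressed,
# symmetrically encrypted, marker, SEIPD. Assumed set, adjust to your case.
LEADING_TAGS = {1, 3, 8, 9, 10, 18}

def classify_blob(data: bytes, entropy_threshold: float = 7.9) -> str:
    """Return 'pgp-armored', 'pgp-binary', 'opaque-high-entropy' or 'other'.
    A random first byte matches one of LEADING_TAGS by chance about 26 times in 256,
    so 'pgp-binary' means 'worth a packet dump', not 'confirmed PGP'."""
    if data.startswith(b"-----BEGIN PGP"):
        return "pgp-armored"
    if leading_pgp_tag(data) in LEADING_TAGS:
        return "pgp-binary"
    if shannon_entropy(data[:65536]) > entropy_threshold:
        return "opaque-high-entropy"
    return "other"

if __name__ == "__main__":
    for name, blob in [("armored", SAMPLE_ARMORED), ("binary", SAMPLE_BINARY_PGP),
                       ("opaque", SAMPLE_OPAQUE), ("text", SAMPLE_TEXT)]:
        print(f"{name:8s} entropy={shannon_entropy(blob):.3f} -> {classify_blob(blob)}")
```

An "opaque-high-entropy" verdict on a 1.8 GB file is exactly the point at which to stop assuming PGP and start trying container formats; a "pgp-binary" verdict still needs a real packet parser before anyone writes "PGP" in a report.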